Unable to read headers from HTTP requests

(Russ) #1

Hello,

I've come across a problem when writing a custom authentication Shield module in that headers do not seem to be accessible from the plugin. Here's what I've got:

In the CustomRealm itself, I've got a method like this:

public CustomAuthToken token(RestRequest request) {
    // my code here
}

All that my code is doing at the moment is looking to see if a particular header is set in the request. Unfortunately, I can't see any headers in the request. I am definitely setting one (using Firefox Poster and curl as clients). When I print out the number of headers in the request, it is 0.

To try and solve the problem I've enabled the headers in the HTTP module (although this is for CORS rather than standard HTTP requests, but I wanted to rule it out).

The plugin is working fine and the method is being invoked when I send an HTTP request into Elastic; it is just that it claims to have no headers where there are some.

This is for Elasticsearch and Shield 2.3.

Many thanks,
Russ.


(Jay Modi) #2

In the constructor of your realms factory, can you try this:

@Inject
public CustomRealmFactory(ShieldSettingsFilter settingsFilter, RestController restController) {
    super(CustomRealm.TYPE, false);
    this.settingsFilter = settingsFilter;
    restController.registerRelevantHeaders("your header name");
}

(David) #3

Hello,

I have the exact same problem as rmartin. I have tried the possible fix suggested by jaymode but it unfortunately had no effect. I am wondering what my next step should be.

Dave


(Jay Modi) #4

@daveh @russ are you both using the RestRequest#header method? There is a getHeader method but it will not contain the headers you are seeking (it's confusing and will be changing in 5.0).


(Russ) #5

Hi @jaymode,

Yep, that's the method I'm using. What is that method supposed to be for? Is there a way to get the headers from an HTTP request? If it's not possible, what would you recommend as an alternative? I could put the necessary info in as a parameter instead, perhaps?

Thanks,
Russ.


(Jay Modi) #6

The RestRequest#header method is how Shield gets the Authorization header. When you register your custom header, is it registered in the same case that you used it? In the example realm we do the following: https://github.com/elastic/shield-custom-realm-example/blob/2.3/src/main/java/org/elasticsearch/example/realm/CustomRealm.java#L100-L109

How does that compare with your code?


(Russ) #7

Yes, that was it. I picked the wrong headers method.

Thanks @jaymode


(David) #8

Sorted, thanks for the help

